Twitter Says a Bug Exposed DMs and Protected Tweets to Developers

Some Twitter users recently got a message saying their direct messages or protected tweets may have accidentally been sent to developers “who were not authorized to receive them.”

Twitter said that the issue affected 1% of users and required a very specific set of circumstances to happen. Additionally, Twitter said it had no evidence that any developers actually received messages that were not intended for them, but said it couldn’t rule out the possibility that it happened either. However, users voiced concern that the bug was found Sept. 10 and that they were only notified beginning Friday.

The fact that this is the second security breach this year didn’t help matters, either.

Earlier this year, Twitter said it mistakenly saved users’ passwords in plaintext in an internal log that was used by staff and asked users to change their passwords. On top of that, Twitter is also still receiving heat after many users were found locked out of their accounts. Twitter said the action was taken against users who were under 13 or whose birthdays showed they may have been under 13 when they signed up for the service.

More details on the conditions needed for the problem to occur can be found in Twitter’s blog post on the issue.

Consumers want privacy. But we also take eager advantage of products, apps, and tools that rely on our personal data. These conflicting demands can make it challenging for companies to determine how best to both protect and make use of their customers’ data. They can also make it challenging to innovate, as executives balance privacy concerns with product development.
However, a growing number of companies are adopting a proactive and holistic approach to privacy and innovation, inviting privacy leaders to collaborate with product teams from the outset. In a panel entitled “The Economy of Trust: How Data Privacy Is Driving Innovation” at the fourth annual Fast Company Innovation Festival on October 24, three experts discussed corporate culture, data breaches, and the opportunities for growth that data privacy presents. Here is an edited excerpt from that conversation.
In the past, privacy issues were often treated as a pesky afterthought. What are your peers saying about privacy these days?
William Min, chief privacy and data governance officer, Western Union: Companies that think they have unlimited rights to personal information and can use it for whatever they want are going to get left back.
Mathew Newfield, chief information security officer, Unisys: In a lot of the organizations that I work with, as well as my own, we’re starting to see a fundamental shift at the executive and board levels, where people are coming to the realization that it’s their data, too. They’re thinking, this is information about myself and my family and my friends all over the world. So how do I want my data handled? And they’re bringing that viewpoint directly into the business.
Derek Han, principal cyber risk and data privacy specialist, Grant Thornton: The core privacy issue today is data management: not only how to use data, but how to protect data. And then also being transparent about how we use data. We’re also starting to think about eventually transferring some ownership of that data to individuals, as opposed to the company. Privacy leaders are focused not only on addressing compliance requirements, but also thinking about how we can tackle areas such as data management to help the business become stronger and grow faster.
The unfortunate reality for most brands seems to be that it’s not if you’ll be breached, it’s when. How does that dynamic affect innovation?
MN: If you look at the biggest cyber events in the last few years, you’ll see that the companies that were transparent did not see innovation stifled at all. You just have to work immediately and openly with regulators, law enforcement, and the people who are impacted.
The problem is a lot of corporations want to wait until they know everything before they say anything, which is the exact opposite of what you should do. But if you’re transparent, a breach doesn’t have to stifle innovation.
WM: It’s critical to make sure that you’ve learned lessons from a breach. You have to continue to improve your security processes and think critically about the type of data that you’re collecting. For instance, did you really need to have that type of information in that particular database?
It’s an ongoing exercise. And sometimes, unfortunately, you learn lessons from situations with bad outcomes. But I’ve had experiences where public reaction was actually positive because of the way a breach was handled. By being transparent with those affected by the incident, customers should feel, “The company took this seriously. I’m going to trust that they’ve actually fixed the problem. They’re more secure than they probably were before. So they’ve earned my trust back.”
There’s a perception that corporate privacy executives mostly like to tell business leaders “no.” Is that culture changing?
MN: A lot of my peers are very old school. They’re focused on risk avoidance and risk transference. Their response to a new idea is, “That sounds scary to me. I don’t want anything to do with it.”
The only way to change that attitude is through collaboration and lots of communication. It takes time, but you can do it pretty easily if you really want to. A lot of companies in the Fortune 500 have changed their cultures very successfully. People are starting to catch on. It’s not so scary or so revolutionary anymore.
DH: There’s an emerging privacy mandate that’s driving people to work more closely. I work with our privacy officer, legal counsel, and information security professionals, and then also business, IT, and operations folks. When you get all these people working together, creativity will come out of it.
For example, we’re having a lot of conversations about privacy by design: making privacy not only a compliance feature, but a customizable benefit. We talk about offering customers privacy by product and even by feature.
WM: I work hard to build relationships with colleagues on the business side, so my team and I can get plugged in early on. There are a lot of solutions out there, and it’s very, very rare that we can’t come up with something that actually makes sense. But it’s a lot easier to do it up front than to come in at the eleventh hour when a product is ready to roll out but hasn’t been vetted properly.
Where do you see opportunities for innovation related to privacy?
DH: Some of my clients are starting to come up with really innovative solutions related to searching [for] and extracting user information. In the next three years, I can guarantee there’ll be some innovation to actually sell a privacy solution as a product. You’ll see very tangible business value from the privacy field.
MN: It’s going to be interesting to see some of the ways blockchain is adapted for privacy. There are also interesting conversations happening about user names and passwords being an antiquated form of protecting your privacy.
WM: Along with changes in technology, there are definitely going to be dilemmas. The companies that figure out how to solve some of those issues will continue to thrive.
Take artificial intelligence and machine learning. On the one hand, from a pure privacy-regulatory standpoint, you should only hold and capture the least amount of data that you really need for the purposes for which you need to process it.
But in order to build AI models and make them more valuable and accurate, more data is better. That’s the sort of issue that’s going to come up increasingly often. People like us get to help figure out how we solve that to address both the business needs and the needs of our customers.
***
In addition to the issues addressed above, all three of our experts agree that it’s highly likely that Congress will pass a federal data privacy law at some point. In an ideal world, they say, the legislation would incorporate existing best practices, meaning companies that are up to date on protecting consumer data would have little to fear.
This article was created for and commissioned by Grant Thornton.

KUALA LUMPUR (Dec 18): The "fire sale" of luxury superyacht Equanimity, which will be transacted at half of its original price, is a failure that is to be blamed on the Malaysian government, claims fugitive financier Low Taek Jho (Jho Low).
“The predictable failure of the Mahathir government to hold a successful auction of the yacht Equanimity is another example of a Mahathir regime prioritizing illegal acts over the rule of law in a transparent effort to score political points,” an unnamed spokesman of Low said in a statement issued through Low’s attorneys.